Enabling Spring Security Expression-based Access Control for methods in a Spring Roo app

Expression-based Access Control allows you to annotate specific methods with access rules. To enable it, add the following element to the webmvc-config.xml file of your Roo webapp (not to the security context file; it must be in the web application's own context):

<security:global-method-security pre-post-annotations="enabled"/>

The explanation for why this needs to be in your webapp context is covered here.

Configuring Spring Security for finer grained url pattern matching with a Spring Roo app

By default, after you’ve added Spring Security to your Roo app with ‘security setup’, you get an example config in an applicationContext-security.xml file like this:

    <http auto-config="true" use-expressions="true">
        <form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>
        <logout logout-url="/resources/j_spring_security_logout"/>

        <!-- Configure these elements to secure URIs in your application -->
        <intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/member/**" access="isAuthenticated()" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/**" access="permitAll" />
    </http>

The default pattern matching approach is Ant-style path matching. If you need to be more precise about which URLs you secure, you can switch to regex-style pattern matching by adding this attribute to the <http> element:

<http ... path-type="regex" ... >

Now, let’s say you need different roles for creating versus listing member records. Spring Roo uses a couple of GET parameters to distinguish between these actions, so with regex you can match on them like this:

        <!-- '?' is a regex quantifier, so it must be escaped to match the literal '?' that starts the query string.
             Keep these rules above any broader /member or /** rule: the first matching intercept-url wins. -->
        <intercept-url pattern="/member\?form" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/member\?page.*" access="hasRole('ROLE_USER')" />

Carrier IQ scandal blown out of proportion?

I’ve seen the news stories on TV and I’ve read a bunch of articles on many websites (like this one here on cnet).

As an Android user I hope the Carrier IQ software isn’t actually doing more than what they claim, but based on what the claimed purposes of the software are, it seems the coverage on the news has blown way out of proportion.

If my wireless carrier chooses to use some software preinstalled on my phone that helps them diagnose network and phone issues to improve the service that I in turn receive as a customer, then that’s a good thing and I’m perfectly ok with that.

I can see that it would be easy to jump to the conclusion that this software is tracking you and everything that you do with your phone, but the explanation from Carrier IQ themselves on what the software does doesn’t sound like this is true. Of course I hope what they’re saying is true, but in the meantime I think people need to calm down and stop throwing fearmongering stories out there and spreading FUD.

Isn’t it strange that the guy who released this information has not yet come forward to agree for an interview with anyone? For all we know he was paid rather nicely to put this information out there as disinformation and an attempt to derail the rapidly increasing success of Android and Android based devices. What makes this one guy more believable and trustworthy than the companies that he is accusing of illegal wiretapping? That’s quite a serious allegation. Especially if he overinflated his story.